Modeling Computer Attacks : A Target-Centric Ontology for Intrusion Detection

We have produced an ontology specifying a model of computer attacks. Our ontology is based upon an analysis of over 4,000 classes of computer attacks and their corresponding attack strategies, and the model is categorized according to: system component targeted, means of attack, consequence of attack and location of attacker. Our analysis indicates that non-kernel space applications are most likely to be attacked, with the attack originating remotely. These attacks most often result in the attacker gaining root access. We argue that any taxonomic characteristics used to define a computer attack be limited in scope to those features that are observable and measurable at the target of the attack. We present our attack model first as a taxonomy and convert it to a target-centric ontology that will be refined and expanded over time. We state the benefits of forgoing dependence upon taxonomies for the classification of computer attacks and intrusions, in favor of ontologies. We illustrate the benefits of utilizing an ontology by comparing a use case scenario of our ontology and the IETF’s Intrusion Detection Exchange Message Format Data Model.
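The following is an added illustration, not code from the paper or its authors, of what a target-centric classification along the four dimensions named above (system component targeted, means of attack, consequence, location of attacker) buys an intrusion-detection consumer once it is expressed as a class hierarchy rather than a flat taxonomy. Every concrete class name (e.g. `NetworkService`, `BufferOverflow`, `RootAccess`) and every sample attack instance is an assumption constructed for the example; none of them are taken from the paper's 4,000-class analysis. The point demonstrated is subsumption: a query for `NonKernelApplication` matches instances filed under its subclasses, which a flat label lookup cannot do.

```python
"""Toy target-centric attack ontology (added example, not the paper's own code).

The four dimensions come from the abstract. All concrete class names and
sample attack instances are constructed for illustration only.
"""
from dataclasses import dataclass
from collections import Counter

# Subclass -> superclass edges of the hypothetical ontology.
PARENT = {
    # system component targeted
    "KernelSpace": "SystemComponent",
    "NonKernelApplication": "SystemComponent",
    "NetworkService": "NonKernelApplication",
    "LocalApplication": "NonKernelApplication",
    # means of attack
    "InputValidationError": "Means",
    "BufferOverflow": "InputValidationError",
    "LogicError": "Means",
    # consequence of attack
    "PrivilegeEscalation": "Consequence",
    "RootAccess": "PrivilegeEscalation",
    "UserAccess": "PrivilegeEscalation",
    "DenialOfService": "Consequence",
    # location of attacker
    "Remote": "Location",
    "Local": "Location",
}


def is_a(cls, ancestor):
    """Subsumption test: True if cls equals ancestor or sits transitively below it."""
    while cls is not None:
        if cls == ancestor:
            return True
        cls = PARENT.get(cls)
    return False


@dataclass(frozen=True)
class Attack:
    """One attack class described only by features observable at the target."""
    name: str
    target: str
    means: str
    consequence: str
    location: str


# Constructed sample instances (hypothetical, not from the paper's data set).
ATTACKS = [
    Attack("overflow-in-daemon", "NetworkService", "BufferOverflow", "RootAccess", "Remote"),
    Attack("setuid-logic-bug", "LocalApplication", "LogicError", "RootAccess", "Local"),
    Attack("syscall-race", "KernelSpace", "LogicError", "RootAccess", "Local"),
    Attack("malformed-packet-crash", "NetworkService", "InputValidationError", "DenialOfService", "Remote"),
]


def query(attacks, target=None, means=None, consequence=None, location=None):
    """Return attacks whose value on each given dimension is subsumed by the
    requested class. A flat taxonomy would only match exact labels; here a
    query for 'NonKernelApplication' also matches NetworkService instances."""
    return [
        a for a in attacks
        if (target is None or is_a(a.target, target))
        and (means is None or is_a(a.means, means))
        and (consequence is None or is_a(a.consequence, consequence))
        and (location is None or is_a(a.location, location))
    ]


def distribution(attacks, dimension):
    """Count instances per direct class on one dimension, e.g. 'location'."""
    return Counter(getattr(a, dimension) for a in attacks)


if __name__ == "__main__":
    # Which privilege-escalation attacks hit non-kernel applications?
    for a in query(ATTACKS, target="NonKernelApplication", consequence="PrivilegeEscalation"):
        print(a.name)
    print(distribution(ATTACKS, "location"))
```

The `PARENT` map is the smallest thing that still behaves like an ontology; a real implementation would carry the hierarchy in RDF or OWL and let a reasoner perform the subsumption that `is_a` walks by hand, but the query semantics are the same.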
